Commentary on the economic, geopolitical and simply fascinating things going on. Served occasionally with a side of snark.

Sunday, February 9, 2014

Why Mt. Gox, the World’s First Bitcoin Exchange, is Dying - the travails of Mt Gox after suspending withdrawals on Friday February 7, 2014 and promising customers an update Monday February 10, 2014, bitcoin customers of Mt Gox and the bitcoin world wait to see whether the withdrawal problem was just a technical issue or whether insolvency is the true situation? Coin Searcher three day protest at Mt Gox and varied points of view regarding Mt Gox set forth ... Another Major Bitcoin Exchange (Local Bitcoins.com) May Be In Deep Trouble After A Bust In Florida ... Additional news include examining bitcoin business growth globally ... Second Market buying bitcoin from the public - just as Mt Gox issue erupted ... Coinbase stepping up security features with new API Key ...

The Embarrassing Fact MtGox Left Out Of Their Press Release: Their Bad Code Hygiene Was The Direct Cause Of Problems


Yesterday, the bitcoin exchange MtGox – riddled by problems – issued a press release saying the bitcoin protocol was to blame for its ongoing problems. That statement, which caused the markets to nosedive temporarily, is outright false. The problem is, and was, bad code hygiene in the MtGox exchange itself. Here are the details.

Yesterday, when MtGox blamed “transaction malleability” as the cause of MtGox’ problems, implying that the problems at MtGox affected all exchanges and everything bitcoin, that was a sign of a very elastic relationship with facts. It’s true that transaction malleability was a factor, but not nearly in the way that MtGox implied. (We’ll be returning to what the “malleability” is.)

Here’s the real problem: MtGox is running its own homebuilt bitcoin software, and has not cared to update and upgrade that software along with the developments of the bitcoin protocol. Recently, after a very long grace period, the bitcoin protocol tightened slightly in order to disallow unnecessary information in transaction records, and did this to fix the malleability problem that MtGox blamed.

So the problem of malleability remained at MtGox, while having been fixed in the rest of the world. This – the discrepancy itself – was the root cause of the problem, because it meant that MtGox started issuing invalid transaction records for bitcoin withdrawals. Obviously, they were rejected by the bitcoin network.

Let me explain in a bit more detail.

When you write an amount of money, say twenty-three thousand four hundred and twenty-two dollars and fifty-four cents, you typically write that as $23,422.54. But it would also be valid to write it as $0,023,422.54. Or $0,000,023,422.54. This fact – that one number can be written in many ways, all valid – is the malleability. (For the sake of completeness, it wasn’t the amount, but another number in the transaction record that was concerned.)

This was tightened in the bitcoin protocol to only allow the shortest version of writing a number, $23,422.54, in this specific code change, which happened a whole year ago.

This change was ignored by MtGox, if I may speculate, probably because “it kept working anyway”. That is, until bitcoin 0.8, when the core developers decided to enforce this change across the protocol, having had the tightening published for over a year. The moment bitcoin 0.8+ gained majority deployment on the network, such invalid transactions started getting rejected.

In other words, MtGox’ lack of code hygiene and lack of very basic IT release processes led to the MtGox code getting out of sync with the bitcoin protocol itself. It kept writing numbers in a way that wasn’t always the shortest possible way in some of its transaction records, and therefore, the inevitable happened: those transaction records were rejected by the bitcoin network.
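The shortest-form rule described above, as an added example (not code from the article, from MtGox or from the Bitcoin code base). It assumes the number in question is one of the two DER-encoded integers of an ECDSA signature, which the article does not state; the byte strings are constructed for illustration.

```python
# Added example: a pre-broadcast lint for shortest-form ("canonical") integers.
# Assumption: the field is a DER SEQUENCE of two INTEGERs (r, s), with
# single-byte lengths. Sample values are constructed, not real signatures.


def encode_int(value: int) -> bytes:
    """Encode a non-negative integer as a DER INTEGER in its one shortest form."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:            # a zero byte is required here, so the value
        raw = b"\x00" + raw      # is not read as negative
    return b"\x02" + bytes([len(raw)]) + raw


def encode_sig(r_field: bytes, s_field: bytes) -> bytes:
    """Wrap two already-encoded INTEGER fields in a SEQUENCE."""
    body = r_field + s_field
    return b"\x30" + bytes([len(body)]) + body


def int_violations(body: bytes) -> list:
    """Reasons why an INTEGER body is not the shortest valid encoding."""
    if len(body) == 0:
        return ["empty integer"]
    problems = []
    if body[0] & 0x80:
        problems.append("high bit set: reads as negative")
    if len(body) > 1 and body[0] == 0x00 and not (body[1] & 0x80):
        problems.append("unnecessary leading zero byte")
    return problems


def signature_violations(sig: bytes) -> list:
    """Return every encoding violation; an empty list means canonical."""
    if len(sig) < 8:
        return ["too short to hold two integers"]
    if sig[0] != 0x30:
        return ["missing SEQUENCE tag 0x30"]
    if sig[1] != len(sig) - 2:
        return ["declared length does not match actual length"]
    problems = []
    pos = 2
    for name in ("r", "s"):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            return problems + [f"{name}: missing INTEGER tag 0x02"]
        length = sig[pos + 1]
        body = sig[pos + 2 : pos + 2 + length]
        if len(body) != length:
            return problems + [f"{name}: truncated"]
        problems += [f"{name}: {p}" for p in int_violations(body)]
        pos += 2 + length
    if pos != len(sig):
        problems.append("trailing bytes after s")
    return problems


def decoded_values(sig: bytes) -> tuple:
    """Decode (r, s) leniently, the way a tolerant parser would."""
    values, pos = [], 2
    for _ in range(2):
        length = sig[pos + 1]
        values.append(int.from_bytes(sig[pos + 2 : pos + 2 + length], "big"))
        pos += 2 + length
    return tuple(values)


# Constructed samples: the same two numbers, written two ways.
CANONICAL = encode_sig(encode_int(0x5B7E), encode_int(0x9C41))
PADDED = encode_sig(b"\x02\x03\x00\x5b\x7e", encode_int(0x9C41))  # "$0,023,422.54"

if __name__ == "__main__":
    for label, sig in (("canonical", CANONICAL), ("padded", PADDED)):
        print(label, sig.hex(), decoded_values(sig), signature_violations(sig))
```

Running the lint on every outgoing record before broadcast catches the padded form locally instead of leaving the network to reject it.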

As a complete side note, this situation is well described by a saying in Sweden that we use to honor our neighboring Finns and their gung-ho attitude toward life, the universe, and everything. The saying is supposed to be pronounced slowly with a slight sauna-induced slur and a strong Finnish accent, like such:

[Audio clip, 0:04]

Now, let’s return to MtGox’ press release. There, they state that skilled hackers had the ability to rewrite bitcoin withdrawals with the speed of lightning before they reached the bitcoin network, implying that hackers changed valid transactions en route. This, skilled hacking, was the cause of all their problems, they claimed. But that’s not what happened at all. MtGox were creating invalid transaction records for some small but significant portion of their bitcoin withdrawals.

What this means is that MtGox wasn’t the subject of some skilled hacking related to transaction malleability. Instead, bad code hygiene was causing MtGox to broadcast invalid transactions, which could trivially be corrected and re-broadcast, causing all these problems downstream.

This, in turn, leads to all the described problems with double-spending, internal databases of account records getting out of sync with the blockchain records, et cetera. Once somebody has corrected one of MtGox’ malformed transactions and re-broadcast it, MtGox would still consider it unsuccessful, making things go out of sync.

So, is this hard to do the right way? No. I can say that authoritatively – I spent seven years as a CTO-for-hire putting exactly these kinds of hygiene, accountability, trackability, and predictability processes into place at startups with growth pains, saving more than one startup from the blame-game death spiral. MtGox is dying from the lack of a very basic leadership and management toolkit.

Oh, and that Swedish saying about the Finns in the audio clip above? The one that references how the protocol strictness tightened but MtGox went gung-ho ahead anyway? It means “The road turned, but Pekka didn’t”.

DISCLOSURE: The author is personally affected by the MtGox malfunction, having a five-figure dollar amount in stuck unprocessed bitcoin withdrawals.

As a final note, I can’t help feeling a bit of immature glee at all the doomsday sayers that screamed crash! all over the media, who seemed just waiting to pounce on the opportunity to declare Bitcoin dead. Uhm, yeah. It turns out that over the whole day of February 10, the Bitcoin price fell a total of 19 US cents. As of this writing (01:30 UTC on Feb 11), it’s up a bit (705) from where it opened yesterday (688).

Sources: this post by TheComputerScientist, this post by nullc (Greg Maxwell), and a few other sources whose identity I’ll protect.

http://market-ticker.org/akcs-www?post=228401

(Note the portion that discusses frozen fiat withdrawals - emphasis USD but who knows how extensive problems might be with other currencies? Good explanation on Exchange protocol ...)

When Is An Exchange Not An Exchange?

The question above is answered thus:

Whenever the so-called exchange has an actual position, and thus is exposed to loss.
An exchange is never supposed to be able to take a loss, as they are only a facilitator between a buyer and seller. Their protocols thus should be designed to detect attempts to defraud either side of a transaction and hold the transaction in a "pending" state until it is ascertained that the transaction is "good", at which point both sides are released in an atomic operation.

As you are aware, the MtGox team has been working hard to address an issue with the way that bitcoin withdrawals are processed. By "bitcoin withdrawal" we are referring to transactions from a MtGox bitcoin wallet to an external bitcoin address. Bitcoin transactions to any MtGox bitcoin address, and currency withdrawals (Yen, Euro, etc) are not affected by this issue.

There are also means to mitigate against someone trying to exploit it, albeit not trivial ones. In other words, as Mt. Gox puts it, detecting this is not "efficient."

But -- if a particular service holds the transaction in a pending state until it is either confirmed or refuted then the problem doesn't arise as you can't double-spend. The person who tries to scam using this scheme thus fails in their attempt, while the person who does not sees normal transaction clearing times.

In addition, if this does not impact exchanges to other forms of currency as Mt. Gox claims, why are there apparent issues with exchanges to those other forms of currency?
There's no way to know as this is not being addressed.

But -- an exchange is not supposed to design its operations in a form or fashion that leaves it exposed to valuation or transaction risk. That is and to repeat with emphasis, an exchange by definition is a service that earns its funds by facilitating two unaffiliated parties engaging in a transaction.
I would love to see evidence that any of the existing so-called exchanges meet this definition. Indeed, before doing business with any of them I would demand that under strict proof, because if that is not the case then you are at risk as their customer, and that's not what you signed up for.

Bitcoin Flash Crashes, Drops By 80% In Seconds

Now that Bitcoin exchange Mt.Gox has terminally discredited itself following the latest, and likely last, withdrawal halt announced late last week which sent the value of Bitcoin tumbling by 25%, Bitcoin traders are left with just two exchange options on which to transact: BTC-e and Bitstamp. And for those using the former to buy and sell the virtual digital currency, things went from bad to worse a few short hours ago, when Bitcoin had its very own "Waddell and Reed" moment, when the price of Bitcoin cratered by over 80% in the span of seconds, after a modest block of just under 6000 Bitcoins sent the price plunging from over $600 to $102.

However, market gymnastics may just be the tip of the iceberg - a far bigger issue, one we have been warning about since the last March surge in Bitcoin's dollar price, is that the crackdown on Bitcoin both in the US (see "Miami Bitcoin Arrests May Be First State Prosecution"), and around the world (in Russia Bitcoin was just declared illegal) is finally heating up. It's only going to get worse in an insolvent world desperate to halt money laundering.

And since digital currency advocates have finally realized they can't hold the electronic 1s and 0s in their hand in a worst case scenario, the biggest winner of the latest Bitcoin crash is none other than the real alternative currency (in Paul Singer's words), gold, which moments ago just hit a one month high and rising.

CoinDesk Removes Mt. Gox from Bitcoin Price Index

CoinDesk has removed Mt. Gox from the Bitcoin Price Index today (as of 16:00 GMT), due to its persistent failure to meet the Index’s standards for inclusion.

Ultimately, the decision to remove Mt. Gox from the BPI was prompted by Friday’s announcement that bitcoin (BTC) withdrawals had been suspended until Monday, and today’s follow-up announcement that bitcoin withdrawals would now be suspended indefinitely. This was due to a previously known technical issue with Mt. Gox’s custom wallet implementation of the Bitcoin core protocol.

However, these recent withdrawal restrictions are just the latest in a series of issues which have made Mt. Gox’s inclusion in the BPI problematic.

Concerns over Mt. Gox’s price variance

A concern separate from timely customer withdrawals which had recently commanded attention was the expansion of the so-called ‘Mt. Gox premium’.

For example, on 28th January, Mt. Gox customers were paying more than 25% more for bitcoins than customers on BTC-e, another BPI component exchange.

The issue of price dispersion across the many different bitcoin exchanges was part of CoinDesk’s original rationale behind the Bitcoin Price Index, and some ongoing dispersion is to be expected for reasons ranging from differences in bitcoin regulation across the globe to the overall maturity of the exchange market for bitcoins.

However, the price dispersion between two other BPI components, Bitstamp and BTC-e, has recently remained in the low single-digit percent range, raising concerns over whether bitcoin prices quoted on Gox were representative of the overall market.

Concerns over excessive price dispersion at Mt. Gox, however, have since subsided as the Gox premium compressed into single percentage digits since 28th January.

Customers’ love-hate relationship with Mt. Gox

Complaints over withdrawal delays at Mt. Gox are nothing new, having dogged the exchange since the first-half of 2013, when Mt. Gox first ran afoul of US regulators after its failure to register as a money transmitter.

Throughout the first-half of 2013, Mt. Gox commanded a very high share of bitcoin trading volume, leaving many feeling that, in spite of its withdrawal issues, Mt. Gox was still a viable option given the available alternatives.

However, as the year progressed Mt. Gox’s market share in total bitcoin trading volume steadily eroded, and in late-2013 Mt. Gox was eclipsed as the number one Bitcoin exchange, first by BTC-China and then Bitstamp.

Mt. Gox’s persistent withdrawal problems

CoinDesk has been working diligently to independently verify complaints. We recently ran an open poll about Mt. Gox to gather additional details from customers, and a number of Mt. Gox customers have shared their experiences with CoinDesk in confidence.

One recent high-profile example was a Mt. Gox customer who flew to Tokyo to protest outside Gox’s offices over withdrawal delays, alas to no avail.

Importance of timely customer withdrawals

The ability of exchange customers to obtain timely withdrawals is a criterion of the Bitcoin Price Index. Specifically, point 6 in the BPI criteria states:

“Banking and/or bitcoin transfers in or out of the exchange must be completed within seven business days, if deposit and withdrawal methods are not offered for various countries and/or currencies.”

Mt. Gox has been unable to consistently meet this criterion. Also of concern has been Mt. Gox’s failure to provide a sufficiently credible explanation for why the problem is occurring, or a detailed plan/timeline for when the problem of timely customer withdrawals will be resolved.

An exchange’s ability to execute timely customer withdrawals is an important BPI criterion for several reasons.

If timely customer withdrawals are not possible then this could have an influence on the accuracy of the exchange’s price discovery mechanism. For example, customers of Mt. Gox were often thought to be trading bitcoins at rates beyond their value on other exchanges so that they could more easily transfer BTC out of the exchange. In recent days the reverse has occurred, with the ‘Mt. Gox Premium’ becoming a discount during certain periods.

Customer withdrawal delays may be a symptom of other serious problems at the exchange which are difficult to independently verify, such as internal technical issues, legal/regulatory inquiries, or the exchange’s solvency.

CoinDesk has removed Mt. Gox from the calculation of the Bitcoin Price Index effective today at 16:00 GMT.

About the Bitcoin Price Index

Launched in September 2013, the CoinDesk Bitcoin Price Index represents an average of bitcoin prices across leading global exchanges that meet criteria specified by CoinDesk.

The BPI is intended to serve as a standard retail price reference for industry participants and accounting professionals.

The CoinDesk BPI is a professionally curated index with a combination of quantitative and qualitative data points under consideration. Selective criteria such as price volatility, inconsistencies in processing withdrawals, and standard deviation from the mean all play a factor in exchange inclusion.

CoinDesk’s goal is to include all exchanges which meet the BPI criteria in the Price Index so that the Index provides the most accurate, representative real-time measure of bitcoin’s price.

When I saw Bitcoin trading at close to one thousand dollars, I wanted to kick myself! I should have seen it coming, a limited supply and a lot of hype and demand — it looks obvious in hindsight, as many things do.

And I can't excuse myself by claiming not to have been fully aware of Bitcoin, when it was trading far below ten dollars. My well-known libertarian leanings meant that a number of like-minded friends encouraged me to get involved in this new, non-statist, unregulated experiment. Shame on me, for not listening. I hope at least they made a lot of money.

The main reason, however, I did not get involved was longer-term concerns about the viability of Bitcoin, and in my view, those concerns still remain.

Bitcoin has been in the news a lot lately — and not all of it positive, such as the recent arrest of a Bitcoin trader in New York on money laundering charges.

I think Bitcoin has made a mistake by keeping its owners anonymous, although some users — including some highly undesirable ones — are embracing it for that very reason. This offers authorities an excellent excuse to ban it whenever, and wherever they wish. And this could easily be an unfair ban under false pretences simply because the authorities don't like the competition. China and Russia are just the first to react, I fear.

Due to the nature of its structure, banning Bitcoin will of course not eradicate it. But what it will do is make it impossible for law-abiding individuals and businesses to use it — and thereby render it practically useless anyway. So the false sense of security the, admittedly, irrepressible network provides Bitcoin will really not count for much, if there is a concerted move to restrict the Bitcoin market. I think therefore that it may well be advisable to accept and embrace some degree of regulation, although it will be counter-intuitive to many fans, if only to prevent an even worse reaction from governments that are not pleased to see their money printing monopoly challenged.

Of course, for early buyers wiser than me, the huge price rally has been terrific, but it also carries some negative consequences. I think the elevated price and huge volatility — it has swung from a high of USD 1,242 in late November to around USD 500 in hours — will make it more difficult to gain acceptance among serious businesses.

So I think Bitcoin will face serious challenges in the long run, although I believe such digital currencies could have a place in the economy in more well thought-through structures with values better linked to real assets. There is no doubt that many central banks have made a mess of things with their own fiat money without linkage to reality, and it is entirely conceivable that the private sector could also in the area of currencies do a better job than public sector institutions. It does in pretty much every other area under the sun, so why not here?

Anything in the financial space that can be regulated will be regulated. Get used to it! This will also apply to digital currencies. But regulation could be their ticket to real acceptance and success — and should therefore not be seen only as a negative.

Bitcoin is still a very small part of the economic system and will not pose a serious threat to more established models any time soon. But if it does one day and it overcomes regulatory issues, it will be embraced.

Bitcoin is increasingly used by migrant workers to transfer money back home, and is therefore beginning to serve really genuine purposes, not just ideological ones, which is promising to see.

The extreme volatility and opaque ownership structure definitely poses a risk to all users of Bitcoin. And I believe there will be new and better models developing over time. It is rare that the first mover wins and takes all, and given the weaknesses mentioned above, I believe there is a lot of room for improvements.

There are at least 80 known similar initiatives out there, and of course most of them will fail. But I know personally of a couple of projects in the design phase that in my view are better constructions, and will be able to obtain rapid distribution, making them real competitors to Bitcoin. When they launch, I promise myself that I will be less cautious and also that readers of this blog will get to know about it at an early stage, so watch this space!

Saxo Bank does not currently offer trading in Bitcoin due to the concerns listed here. But we are reviewing the digital currency space on an ongoing basis, so we may revise this at a later stage.

(Mt Gox statement confirms it has become a roach motel - no bitcoin withdrawals will be coming anytime soon for customers of Mt Gox. However, fiat can be withdrawn, which one can assume will be happening. And the kicker is Mt Gox say the bitcoin withdrawal problem is not just a Mt Gox issue, but applies to any Exchange!)

Price Drops as Mt. Gox Blames Bitcoin Flaw for Withdrawal Delays

Mt. Gox has issued a statement in an effort to address concerns raised by users after it suspended bitcoin withdrawals late last week. The exchange insists it is working hard to address a technical issue that has made it impossible for users to make transfers.

The company also points out that currency withdrawals and transfers to any Mt. Gox address are not affected by the issue.

Mt. Gox stressed that the problem is not limited to its exchange – it affects all transactions where bitcoins are sent to a third party. Once the problem was identified, Mt. Gox chose to suspend bitcoin withdrawals until it can be resolved.

Geeky and non-geeky explanation

Mt. Gox offered two explanations for laymen and tech-savvy users. In essence, Mt. Gox says it identified a bug in the Bitcoin software that makes it possible for someone to use the network to alter transaction details, making it seem like bitcoins had not been sent to a bitcoin wallet, when in fact they had.

“Since the transaction appears as if it has not proceeded correctly, the bitcoins may be re-sent. Mt. Gox is working with the Bitcoin core development team and others to mitigate this issue,” Mt. Gox said.

The technical explanation is a lot more detailed.

It points out that bitcoin transactions are subject to a design flaw that has been largely ignored, although it was known to “at least a part” of the Bitcoin core development community. The defect is known as “transaction malleability” and it allows third parties to alter the hash of a fresh transaction without invalidating the signature. Mt. Gox explains:

“Of course only one of the two transactions can be validated. However, if the party who altered the transaction is fast enough, for example with a direct connection to different mining pools, or has even a small amount of mining power, it can easily cause the transaction hash alteration to be committed to the blockchain.”

The “sendtoaddress” API returns a transaction hash as a way to track the insertion of the transaction into the block chain. Since most wallet and exchange services keep a record of this in order to respond to users who make inquiries about their transactions, they could assume that the transaction was not sent – as it would not appear in the block chain with the original hash. For the time being, there is no way of efficiently recognizing alternative transactions.

“This means that an individual could request bitcoins from an exchange or wallet service, alter the resulting transaction’s hash before inclusion in the blockchain, then contact the issuing service while claiming the transaction did not proceed. If the alteration fails, the user can simply send the bitcoins back and try again until successful.”

Working on a fix

Mt. Gox believes the problem can be addressed by using a different hash for transaction tracking purposes. The network would continue to employ the current hash for the purpose of including the transaction in each block’s Merkle Tree, while the new hash would be used to track transactions and it could be computed and indexed by hashing the exact signed string via SHA 256, the same way transactions are hashed.

“This new transaction hash will allow signing parties to keep track of any transaction they have signed and can easily be computed, even for past transactions,” Mt. Gox said. “We have discussed this solution with the Bitcoin core developers and will allow bitcoin withdrawals again once it has been approved and standardized.”

In the meantime Mt. Gox is urging exchanges and wallet services, as well as any other service that sends bitcoins directly to third parties, to be “extremely careful” with anyone claiming their transaction did not go through. The issue also affects altcoins using the same transaction scheme as Bitcoin.

The exchange says it will try to resume withdrawals as soon as possible:

“Mt. Gox will resume bitcoin withdrawals to outside wallets once the issue outlined above has been properly addressed in a manner that will best serve our customers.”

Mt. Gox also noted that more information on the status of the issue will be released as soon as it is available – but for now users will not be able to make bitcoin withdrawals. The fix can’t come soon enough, as the problems have caused a selling frenzy in some circles.

Price fall

Since the announcement was published, the price of bitcoin has witnessed a steep decline. The CoinDesk Bitcoin Price Index shows a sharp fall from $681 at 10:00 (GMT) to $572 at the time of writing.

Mt. Gox Official Statement

Essentially, they are claiming they can’t release customers’ funds until a known bug in the Bitcoin protocol is resolved.

The market is reacting very negatively to the Gox announcement, falling ~$160 on high volume since the news.

Greg Maxwell Responds

I spoke with Bitcoin core developer, Greg Maxwell, about this highly technical issue. Greg Maxwell and Pieter Wuille are the core developers in consultation with Mt. Gox, as per their press release.

<gmaxwell> The Gox press release seems a little ‘spun’ to me. They portray characteristics of the Bitcoin system well known since at least 2011 (which even have their own wiki page) as something new.

These characteristics are annoying but don’t inhibit basic operation. They are slowly being fixed – but fixing them completely will likely take years as they require changing all wallet software. Correctly-written wallet software can cope with the consequences, and I cannot understand why they would gate their withdraws on external changes.

<GG> Andreas Antonopoulos has examined Gox’s code to some degree, and remarked that they are using a strange “hodgepodge of technologies that are really not suitable for running an exchange.” Do you believe the problem lies in their code rather than the Bitcoin protocol?

<gmaxwell> Oh there is a “problem” in the Bitcoin protocol, known since at least 2011 (see the link I gave). But for normal applications, not involving unconfirmed transactions, it shouldn’t cause any severe problems because wallets can handle it locally.

Basically, third parties can change the transaction IDs of transactions. This means that wallet software must be written to accommodate that and still recognize them when that happens.

What the press release talks about is adding a second kind of transaction ID, which is robust against changes, which would be helpful for tech support purposes. Though it doesn’t resolve all of the issues that being able to modify transactions presents.

<GG> So in other words, Gox should be able to account for this known problem by modifying their internal systems?

<gmaxwell> Yes, internal only changes should account for it. The only remaining issue for Mt. Gox’s application would be some tech support problems, where if a user’s transaction is mutated by a malicious party the txid ["transaction ID"] Mt. Gox told them to expect wouldn’t be the one that ultimately showed up in the blockchain.

<GG> It seems the market is reacting very negatively to the news. What advice would you give to the average Bitcoiner regarding this situation?

<gmaxwell> The challenge for me in offering something here is that this isn’t news to me – for years – and it’s never been a particularly large concern. This wouldn’t make the top ten list of dangers in the Bitcoin technology.

<GG> Thanks for your comments.

-

Update: as of 13:35 GMT+2, the market has retraced about 60% of the recent loss as the news is digested.

In my personal opinion, Gox have done more harm to the Bitcoin community than good to themselves through their statement. This situation should have been handled in such a way as to minimize the market impact.

If you need a quick answer: there’s no bug in the Bitcoin itself. You may go to Bitstamp/Coinbase/BTC-E/Bitcoin-Central and buy more BTC with a huge discount before it gets back to $800-$900.

Long answer:

Unconfirmed Bitcoin transactions were always “malleable”, that is you can slightly change a transaction that “floats around” (not yet in the blockchain) and you wouldn’t break its signatures. You can’t change something important about it, like source transactions, amounts, order of inputs and outputs or other important metadata. What you can change is add some bogus data or flip a sign on a signature that doesn’t change the meaning of the transaction, but changes its content.

What it means is this: you may send transaction ABC123, then someone may see it on the network, change slightly to ABC124 and issue too. If he gets lucky, ABC124 will be included first and ABC123 will never be included (because it’d be a double-spend). There’s no problem for the recipient of the transaction: they will still get all their money on the address they expect. But if they were watching the blockchain specifically for transaction ABC123, they will never find it there.

MtGox claims to be fooled this way:

User asks MtGox to withdraw some bitcoins to some address of the user’s choice.

MtGox takes some of its own “unspent transaction outputs” and composes a transaction which sends funds to the user’s address.

MtGox remembers a hash of that transaction (unique fingerprint of its contents) and begins to watch the blockchain for this hash to appear in it.

User or someone else sees the unconfirmed MtGox transaction in the p2p network. He changes some bytes in it so that it stays valid but its hash is different.

New, modified transaction gets included in the blockchain. MtGox has sent money where needed, but does not know about it. User also got the funds no problem - his personal wallet will show that he has the funds.

Then, the user goes to MtGox support and complains that the money did not go through. Or, MtGox themselves see that they’ve been watching for the transaction for too long and could automatically re-send another transaction that sends some other “unspent tx outputs” to the same address (sort of, to “retry” the transaction). One way or another, it creates a lot of confusion for MtGox and initially may even lead them to sending the same money twice, or multiple times to the same user.

Is it a design issue in Bitcoin to allow slight changes in the transactions? Yes, probably is. But it’s not entirely clear how it can be prevented at all. An immediate fix would disallow potentially useful more complex transactions and require a global network consensus to enforce new behavior.

MtGox had this problem because they didn’t know about this Bitcoin property. And for most of the time transactions were not deliberately modified by anyone, so it was okay for most of the time.

MtGox should fix the problem this way: instead of watching the blockchain for the appearance of the specific hash of a specific transaction, they should watch whether the address X (specified by user) got amount N (specified by user) from outputs Y, Z and W (used by MtGox). This would guarantee that even if the transaction is modified, they will see for sure whether the users actually got the money intended for them or not.
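The tracking approach described above, as an added example (not MtGox's code and not from the article): a withdrawal ledger that reconciles against the chain by spent outputs, address and amount rather than by transaction hash. The transaction model is a toy serialization, not Bitcoin's wire format, and every name and sample value here is constructed.

```python
import hashlib
from dataclasses import dataclass


def dsha256(data: bytes) -> str:
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


@dataclass(frozen=True)
class TxIn:
    prev_txid: str      # together with vout: the output being spent (Y, Z, W)
    vout: int
    script_sig: bytes   # signature data, the part a third party can re-encode


@dataclass(frozen=True)
class TxOut:
    address: str
    satoshis: int


@dataclass(frozen=True)
class Tx:
    inputs: tuple
    outputs: tuple

    def txid(self) -> str:
        # Toy serialization; like the real txid, it covers the signature bytes.
        parts = [f"{i.prev_txid}:{i.vout}:{i.script_sig.hex()}" for i in self.inputs]
        parts += [f"{o.address}:{o.satoshis}" for o in self.outputs]
        return dsha256("|".join(parts).encode())

    def outpoints(self) -> frozenset:
        return frozenset((i.prev_txid, i.vout) for i in self.inputs)


class WithdrawalLedger:
    def __init__(self):
        self._pending = {}

    def record(self, wid, tx, address, satoshis):
        self._pending[wid] = {"txid": tx.txid(), "outpoints": tx.outpoints(),
                              "address": address, "satoshis": satoshis}

    def naive_status(self, wid, chain):
        """The failing approach: look only for the hash we remembered."""
        wanted = self._pending[wid]["txid"]
        return "confirmed" if any(t.txid() == wanted for t in chain) else "missing"

    def status(self, wid, chain):
        """Match on what the transaction does, not on its hash."""
        w = self._pending[wid]
        for tx in chain:
            if not (tx.outpoints() & w["outpoints"]):
                continue                      # spends none of our inputs
            pays = any(o.address == w["address"] and o.satoshis == w["satoshis"]
                       for o in tx.outputs)
            if not pays:
                return "inputs-spent-elsewhere"
            return "confirmed" if tx.txid() == w["txid"] else "confirmed-under-other-txid"
        return "pending"

    def retry_conflicts_with_original(self, wid, retry_tx):
        """A retry that reuses an original input cannot confirm alongside it."""
        return bool(retry_tx.outpoints() & self._pending[wid]["outpoints"])


# Constructed samples: same input, same outputs, differently encoded signature.
FUNDING = "aa" * 32
ORIGINAL = Tx(
    inputs=(TxIn(FUNDING, 0, bytes.fromhex("300902025b7e0203009c41")),),
    outputs=(TxOut("user-address-X", 150_000_000), TxOut("exchange-change", 49_990_000)),
)
MUTATED = Tx(
    inputs=(TxIn(FUNDING, 0, bytes.fromhex("300a0203005b7e0203009c41")),),
    outputs=ORIGINAL.outputs,
)
UNRELATED = Tx(inputs=(TxIn("cc" * 32, 0, b"\x02"),),
               outputs=(TxOut("someone-else", 1_000),))
RETRY_OTHER_INPUTS = Tx(inputs=(TxIn("bb" * 32, 1, b"\x01"),),
                        outputs=(TxOut("user-address-X", 150_000_000),))

LEDGER = WithdrawalLedger()
LEDGER.record("w1", ORIGINAL, "user-address-X", 150_000_000)

if __name__ == "__main__":
    chain = [UNRELATED, MUTATED]              # the modified copy got mined
    print("hash lookup :", LEDGER.naive_status("w1", chain))
    print("by outputs  :", LEDGER.status("w1", chain))
    print("retry safe  :", LEDGER.retry_conflicts_with_original("w1", RETRY_OTHER_INPUTS))
```

The last check covers the automatic "retry" described above: a re-send built from other unspent outputs does not conflict with the original, so both can end up confirmed.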

Mt.Gox: No BTC Withdrawals Until Transaction Malleability Fixed

In a draft release made available via IRC freenode/#mtgox just now, Mt.Gox states that it will not resume BTC withdrawals to outside addresses until a flaw in the Bitcoin protocol that makes “transaction malleability” possible has been fixed.

The news announcement outlines the Transaction Malleability issue and concludes:

To put things in perspective, it’s important to remember that Bitcoin is a very new technology and still very much in its early stages. What MtGox and the Bitcoin community have experienced in the past year has been an incredible and exciting challenge, and there is still much to do to further improve.

MtGox will resume bitcoin withdrawals to outside wallets once the issue outlined above has been properly addressed in a manner that will best serve our customers.

More information on the status of this issue will be released as soon as possible.

We thank you for taking the time to read this, and especially for your patience.

Best Regards,

MtGox Team

The announcement comes after close of business at 19h00 JST with traders already anxious when Mt.Gox failed to make a statement by 5pm JST. Staff were on the freenode/#mtgox IRC channel to respond to queries and one of the first questions was: “Are you insolvent?” to which came the reply: <SarahCoinBit> No.

The current lockdown of all BTC comes in the wake of months of BTC transaction failures caused by bugs in their custom exchange wallet software. The exchange had failed to communicate the exact reason for their technical woes in previous months, leading to rumors and speculation of pending insolvency. Mt.Gox customer disgruntlement reached fever pitch over the weekend after Mt.Gox halted all BTC deposits and withdrawals last Friday with a brief announcement explaining only that their system needed to be in a “static state”.

Bitcoin Developer, Greg Maxwell, stepped to the podium, via Reddit, to give a technical explanation of the difficulties being experienced by Mt.Gox – something they could easily have done themselves as the nature of the compound problems became evident in past months. Today’s announcement confirms Maxwell’s explanation and Mt.Gox has officially appealed to the Bitcoin core developers to fix the transaction “malleability” flaw.

Although the cat is out of the bag now, the Bitcoin community is still concerned about Mt.Gox communication policy. Lack of transparency and outright failure to reply to communications resembles that of a “couldn’t care less” bank and not that of a stake-holding partner in a close-knit Open Source innovation. There are also untold numbers of customers who had effectively been told to “talk to the hand” since September last year. Their ire and frustration has created much negative sentiment toward Mt.Gox and one can only surmise that their collective action will be to sell or abandon ship once BTC withdrawals are re-enabled. Hence, Mt.Gox would be responsible for more volatility in the BTC price chart – an eventuality that investors and stakeholders have been trying to avoid on the eve of mainstream adoption.

With the information made available today it is apparent that the entire Bitcoin community (and Bitcoin itself) will benefit from planned security fixes. However, some uncomfortable questions remain as to why this issue had not been addressed earlier. According to Maxwell it had been fixed via tightening transaction signature encoding, yet now Mt.Gox are declaring it an existing security flaw.

Why Mt. Gox, the World’s First Bitcoin Exchange, is Dying

“I think I just witnessed Mt. Gox die today. I didn’t get my bitcoin, but glad I came and tried.” - Reddit user ‘CoinSearcher’, after conducting a three-day protest at Mt. Gox’s headquarters in Tokyo.

Mt. Gox, the world’s original and once-largest bitcoin exchange, appears to be in a state of disarray after it suspended bitcoin withdrawals to work on what it said were technical issues. Meanwhile, the clamour of angry customer voices is growing.

The exchange’s moves have had a negative impact on the bitcoin markets. The price of 1 BTC plunged from $850 at the start of the week to $681, according to the CoinDesk Bitcoin Price Index, in the wake of the Gox announcement. It has promised an update on Monday 10th February (Japan time).

The internal workings of Mt. Gox have long been the focus of discussion in the bitcoin community. Users have reported delays in obtaining a ‘verified’ account there after submitting the required identification documents.

Frustrated bitcoin owners have also written about unresolved customer service requests after suffering delays in withdrawing funds from the exchange, with some taking to Twitter to express their opinion on it.

70% polled cannot withdraw their money

A CoinDesk survey of readers who use Mt. Gox has found that nearly 70% of respondents have not received their funds after making withdrawal requests from the exchange. Some 914 respondents said they were still waiting to receive their funds. The median waiting time was between one and three months, with 22% reporting wait times of between one week and a month.

About a third of respondents said they did successfully withdraw funds from Mt. Gox – many of whom had short waiting times. About half reported receiving their funds within a week.

But for everyone else, the waiting game continued. The CoinDesk survey revealed that having a ‘verified’ or ‘trusted’ account at Mt. Gox did little to reduce withdrawal delays.

The majority of CoinDesk readers polled, or more than 85%, said they had ‘verified’ or ‘trusted’ accounts at Mt. Gox. Some 68% of verified account holders, or 822 respondents, said they were still waiting for their withdrawal from the exchange. The median waiting time was between one and three months, and 78% of verified account holders polled said they had been waiting for up to three months.

The CoinDesk survey has attracted more than 2,800 responses since it went live on 4th February.

Reddit user flies from Australia to Gox for sit-in protest

It took a lone protestor to bring the simmering dissatisfaction with Mt. Gox to a boil. Flying for 16 hours from Australia to Japan for a three-day sit-in on a quest for answers as to the fate of his large bitcoin balance, the protestor, known on Reddit as ‘CoinSearcher’, eventually confronted CEO Mark Karpeles and business development manager Gonzague Gay-Bouchery.

CoinSearcher appeared to alleviate some users’ fears that the top Mt. Gox executives had vanished. Gay-Bouchery’s explanation that most of Mt. Gox’s bitcoins were kept in secure, and not quickly accessible, physical cold-storage in multiple locations made sense to many.

“Because Gox is the best known of all the exchanges, we have been under the regulatory spotlight,” Gay-Bouchery told the protestor, adding:

“This has created problems with government agencies, and also with our banking partners [...] there are also some ongoing investigations, which we cannot talk about.”

Gay-Bouchery refuted data published by The Gox Report that the exchange had a backlog of 40,000 BTC – worth about $34m at the time – that had not been processed, saying that the figure was “not correct” (Mt. Gox subsequently altered its API to cut off real-time information to sites like The Gox Report). He reiterated the company’s claim that withdrawal problems were merely a technical issue, and that “all the coins are safe”.

“There was a general consensus amongst the participants that Mt. Gox was finished as an exchange. They acknowledged that Mt. Gox had played an important role in propelling bitcoin to what it is today, but its decline and ultimate closure was inevitable.”

A spread that was too good to be true

One of the clearest signs that all was not well on Mt. Gox was the exchange’s quoted US dollar price for bitcoin. Quoted prices on Mt. Gox began to diverge sharply from two other major exchanges, Bitstamp and BTC-e, last July. The initial spread shows Gox prices trading at several percentage points above the other exchanges throughout that month.

By the end of August, however, the divergence hit double-digits. Gox prices were more than 19% above BTC-e’s prices on 22nd August, for example. Although the spread oscillated in the following months, it consistently exceeded the 10% mark.

In the run-up to the freeze on Gox, on 28th January, the gap between Gox and Bitstamp’s rates stood at 20%, while the same measure between Gox and BTC-e stood at 26%.

The persistent price differences seemed to be a flagrant violation of the ‘law of one price’ – the economics concept that posits that the price of a freely traded good should be equal across all open markets.

In theory, the massive price differences between the exchanges suggested that there was a persistent arbitrage opportunity to buy bitcoin cheaply on Bitstamp or BTC-e and sell them at a double-digit premium on Mt. Gox.

But as the CoinDesk survey shows, Mt. Gox customers have consistently failed to withdraw their funds from Gox over at least the last three months, when the spread was widest. This suggests that in practice, most opportunists transferring currencies to Gox to take advantage of a higher sale price would have failed to get their funds out of the exchange.

A measure of desperation

The seemingly incredible arbitrage opportunity and Gox’s withdrawal freeze are linked. The roots of the Gox premium can be traced back to June, when the exchange announced it was putting US dollar withdrawals on a “temporary hiatus”.

It later transpired that Gox and its founder, Mark Karpeles, had been ensnared in an operation by US federal agents as they moved against the exchange for failing to register as a ‘money service business’.

The US Department of Homeland Security and the Secret Service seized three accounts linked to Gox containing more than $5m. As research from The Genesis Block shows, the executed seizure warrant was dated 19th June, the day before Gox announced it would halt dollar withdrawals.

All the market observers CoinDesk spoke to agreed that the cause of the Gox premium was the exchange’s persistent withdrawal failures, dating back to June, when US dollar withdrawals were stopped.

As the freeze took effect, Gox customers turned to bitcoin withdrawals as they attempted to get funds out. This worked for a time, but it also increased the volume of bids for bitcoin on the exchange.

“Effectively, the Mt. Gox price reflected the inability to withdraw funds in fiat. This creates only a bid for bitcoin,” said Greg Schvey, co-founder of The Genesis Block.

As a result of the increased volume of bids for bitcoin on Mt. Gox, the bitcoin price began to rise steadily, adding to a widening divergence from prices quoted on other major exchanges.

“We can interpret [the Gox premium] as a measure of fear on the part of customers that they’re not going to get their money back. Their desperation is measured by how much they’re willing to pay for bitcoin [on Gox],” said Garrick Hileman, an economic historian at the London School of Economics.

‘Coding himself out of a mess’

While the exchange has posted a number of notices on its website announcing withdrawal delays, its top executives have remained silent on the matter. The company has posted a notice of delays on its main trading page since the beginning of 2014, originally citing a backlog caused by Japanese New Year business holidays as the cause.

One prominent technical member of the bitcoin community thinks he knows what’s behind the current withdrawal freeze. Andreas Antonopoulos, who recently joined Blockchain.info as chief security officer, says he has studied exchange technologies over the past 15 years. His verdict on Gox’s withdrawal freeze, as an outsider, is scathing:

“Mt. Gox has built an exchange based on a hodgepodge of technologies that are really not suitable for running an exchange. And it’s being run by people who don’t really have experience building and operating scalable systems.”

Antonopoulos outlined what he believes to be the technical reasons behind the Gox freeze. The root of the problem lies in its decision to use a version of the bitcoin client it customised itself, rather than the standard client. As a result, Gox handles the protocol with some discrepancies.

One of those discrepancies, as Antonopoulos understands it, is the way transactions are propagated through the network. A miner on Gox, for example, will prematurely be credited for a new block before the network has a chance to confirm the transaction. As a result, when the transaction hits the bitcoin network to be corroborated, it is rejected. Gox’s solution is to cancel the initial transaction and resubmit it until it is approved.

“This is like putting a Band-Aid on the problem. Gox should not be generating non-standard transactions in the first place. Band-Aids like this will further exacerbate scalability problems,” Antonopoulos said.

In the case of the mining example, the cancelled and resubmitted transactions cause delays in fulfilling withdrawal requests within Gox. This doesn’t necessarily cause huge problems unless the system is under pressure from an external factor, like a spike in withdrawal requests, for example.

“When transactions increase, then there are more delayed transactions, which can cause a panic. It just snowballs,” Antonopoulos said.

A lack of detailed comment or response from Mt. Gox to users or the media has only increased customer concerns about the fate of their money. The company’s location in Japan – where outsiders’ access to information is often limited by a language barrier – has shielded the company from the kind of scrutiny a US-based operation would receive. Furthermore, Gox’s chief executive has made little attempt to address the issues publicly.

“I’ve heard that Mark [Karpeles] has rolled up his sleeves and is trying to code himself out of this mess,” Antonopoulos said. “It’s clear that he lacks the expertise to fix this other than applying another Band-Aid. The things they’ve done in the past won’t get them out of this.”

Looming insolvency?

Roger Ver declared last July he had looked at Mt. Gox’s books and determined it had plenty of fiat currency in the bank, and that withdrawal delays were not being caused by a lack of fiat. He was still optimistic the exchange would fulfill its obligations.

“I don’t have any special insight into Mt. Gox at the moment, but if I had to guess, I think they have the bitcoins and the fiat,” he told CoinDesk.

“I actually think, in the long run, this will be good for bitcoin because it will be clear to the world that there is an open invitation for true professionals to quickly dominate the bitcoin exchange industry.”

Bobby Lee, CEO of exchange BTC China, which actually eclipsed Mt. Gox’s trading volumes at times in 2013, said he also accepted its official explanations. While he didn’t see its immediate problems reaching China, he said negative stories about a company the size of Mt. Gox “could put a damper on the whole bitcoin ecosystem”.

“I was actually quite surprised to hear about the suspension of bitcoin withdrawals at Mt. Gox,” he said.

“Their explanation is plausible, about the need to diagnose a technical situation, which thus requires the halting of bitcoin transfers. Running an exchange is a complex job, especially with a large audience, and when dealing with a real decentralized currency like bitcoin.”

“Their restrictions and delays on fiat currency withdrawals seem suspicious to me, as there is no adequate explanation for that.”

He went on to say: “Regarding the BTC withdrawal limitations, since they promised to give everyone an update on Monday, I would give them the benefit of doubt at this point. It would also help customers understand better, if Mt. Gox can make a clear statement about their overall solvency status.”

Antonopoulos’ technical appraisal of Gox may be damning, but he stops short of indicting the exchange for being fraudulent. He pulls no punches with his verdict on their business acumen, however:

“I do not think Gox has solvency problems. It’s simply a business being run in an amateurish way, in a market that is far more demanding than can support amateurish operations.”

CoinDesk also contacted US exchange and payment processor Coinbase, but it declined to comment.

Innocent beginnings

Mt. Gox, owned by a company called Tibanne Ltd, was the largest bitcoin-fiat currency exchange from 2010 until last year. It started life in 2009 as a place for players of Magic: The Gathering to trade cards. Tibanne is run by Mark Karpeles, who acquired the exchange from founder Jed McCaleb in 2011.

In its four-year history, the pioneering exchange has suffered hacking attempts, DDOS attacks, and the same regulatory issues that have plagued other bitcoin businesses.

Along with technical issues, the glare of law enforcement’s spotlight since April 2013 has seen Mt. Gox’s US dollar market-share plunge from over 70% in April to about 19% now, significantly behind Europe’s Bitstamp and BTC-e with 30% and 24% respectively.

Mt. Gox is also the subject of a current $75m lawsuit from former partner CoinLab, which it has also countersued for $5.5m.

Legacy of resilience?

One of the recurring themes in Mt. Gox’s story is its ability to recover from seemingly insurmountable setbacks, be they bank account seizures or electronic theft. The media has made a habit of chronicling the ‘fall of Mt. Gox’ (Wired, Business Insider), with CoinDesk being no exception – only to be proven wrong when the exchange’s volumes bounce back. Some market watchers remain reluctant to count Mt. Gox out, even with its current freeze on withdrawals.

“Every time it’s had some seemingly crippling issue, it’s always managed to maintain market-share,” said Schvey of The Genesis Block.

Mt. Gox’s historic position as the dominant exchange in the global cryptocurrency economy appears to have helped it build a valuable brand that has linked it inextricably with the growth of bitcoin itself. As new bitcoin users flood into the cryptocurrency economy – which has grown from a market capitalisation of $250m just 12 months ago to $8.6b today – many of these new investors start their cryptocurrency education at the foot of Mt. Gox.

“New buyers come in and they don’t know the history. There is a lot of brand recognition, and it’s going to take time for that brand to be completely destroyed through incompetence,” said Antonopoulos.

The Mt. Gox freeze may have dampened the price of bitcoin, but Schvey, for one, believes the impact has already been priced in.

“We saw major sell-offs on Gox, but the market impact looks like it’s largely been realised at this point. As soon as people get their money out, other exchanges will pick up [market-share],” he said.

In Antonopoulos’ view, however, the story of Mt. Gox isn’t one of resilience in the face of adversity. Instead, the constant breakdowns in Tokyo tell a tale of gradual disintegration, with each breakdown or withdrawal freeze jolting the firm closer to the edge. He said:

“They will keep causing crashes in the bitcoin network until everyone abandons them, so abandon them sooner rather than later. Not because they’re frauds, but because they are amateurish – clownish – in their operations.”

This article was co-authored by Joon Ian Wong, Jon Southurst and Emily Spaven.

Editor’s note: The CoinDesk Bitcoin Price Index committee has recently been reviewing Mt. Gox’s inclusion in the BPI. Friday’s announcement from Gox about halting bitcoin withdrawals has added more fuel to the discussion. Any changes that are made will be announced on CoinDesk. Feel free to let us know your thoughts in the comments.

I was going to start this article by stating: “Mt. Gox needs to get its shit together.”

But it’s too late for that. Much too late.

Mt.Gox has been the dominant Bitcoin exchange pretty much since the beginning. In its brief history, it has suffered several bad setbacks, with the one last spring an incident I am intimately familiar with. There were plenty of reasons to give them a pass in the past, and many of us did. It was early. It was a complete and total Wild West and all of us interested were learning this thing together. There were bound to be some major growing pains. Gox made some changes, came back up and a great deal was forgiven. Not this time.

Bitcoin is no longer in Phase 1 of its evolutionary cycle. I believe Phase 2 for Bitcoin began in earnest back in November 2013, when the Senate Committee on Homeland Security and Governmental Affairs held its first hearings on the topic. Those hearings made it clear that, at least for the moment, no significant roadblocks would be put in place to prevent people from transacting with one another using the crypto-currency. Phase 2 also saw the largest Bitcoin investment to-date, a $25 million infusion led by Silicon Valley VC firm Andreessen Horowitz, as well as acceptance by major U.S. retailers, with Overstock being the most significant. Bitcoin is becoming serious, and serious means serious accountability.

As a free market currency, the market will decide the products required to keep the Bitcoin protocol open and functioning to its highest potential. The disruption of Mt. Gox will be another test for Bitcoin. A test which certainly represents a psychological challenge, but probably not much more than that. Bitcoin will survive and come out of this stronger than it was before, just as it has done so many times in the past. However, I do not believe Mt. Gox will be so fortunate.

Mt. Gox is likely to continue to lose customers on its way to ultimately becoming marginalized as an exchange. In fact, Bitstamp is already trading more volume than Mt. Gox and I’d expect this lead to grow going forward. It also provides opportunities for more market players, although the various government rules and regulations out there have definitely stalled such growth, particularly in the U.S., which is not host to any exchange of significance.

Personally, I do not see how anyone is going to feel comfortable trading or holding sizable BTC balances on Mt. Gox after this fiasco. After all, being able to move your bitcoins from one place to another is the most fundamentally important part of the protocol. If people begin to question the ability to do this, they may start to question the usefulness of Bitcoin itself, which is not something any of us want to see.

That said, Mt. Gox’s decline is nothing new, as it had already begun following the serious issues early last year. Coindesk reports that:

For example, on 16 April, the number of bitcoins traded on Mt. Gox alone equaled 572,186 BTC (90% of the total of the three exchanges).

In contrast, on 18 December there was a roughly equal dispersion across BTC China, Mt. Gox and Bitstamp, with a volume of 93,934, 109,723, and 137,070 BTC respectively.

Now here’s a really powerful graph showing the volume traded on the top three exchanges that demonstrates what I am talking about:

As you can see, Mt. Gox has already been in decline, and I expect that to accelerate going forward. In fact, the price on Mt. Gox usually trades at a significant premium to Bitstamp, but is right at this moment trading at a $40 discount. This is not good.

What I really want to see is Mt. Gox resolve this issue as soon as possible so that the Bitcoins tied down with them are released and can be freely moved around by their owners. If this happens soon, Bitcoin will rapidly emerge from this difficult moment much stronger and hopefully with some more important lessons learned.

There are some serious issues going on at the Mt. Gox bitcoin exchange. With millions of dollars seized by United States authorities and inexperience in the realm of finance, the exchange has hit a wall at full speed, announcing on Friday they are unable to process withdrawals due to overwhelming requests. A sure sign there isn’t enough money on hand, the bitcoin community has reacted with major sell-offs, bringing the price per bitcoin to an all-time low this year of $619.

Some news publications have deemed the exchange dead already, except for the fact that it isn’t — yet. Gox has found itself limping along, with trading on the platform continuing (despite over one hour of downtime on Saturday).

Awaiting Monday

Gox has vowed to make a follow-up statement on Monday regarding the condition of withdrawals, though the bitcoin world is desperately awaiting news that will either confirm the exchange’s integrity, or prove its insolvency.

But if the exchange’s history of communicating with customers is anything to go by, we can probably expect a statement shrouded by smoke and mirrors, leaving users uncertain about what will happen to the exchange — and more importantly, to their funds.

All empires collapse. This may be the last we see of the world’s oldest (and once-largest) bitcoin exchange. But let’s not call it dead until it’s dead.

The StealthBit app had been available on GitHub both as source code and a precompiled download, but the page has now been removed.

Suspicion arose when investigators discovered the precompiled version did not match the source (which more knowledgeable users could examine for themselves and needed to compile before using). The precompiled version contained the malware, whereas the open-source code did not.

The report said:

“Upon running the program for the first time, the malware installs browser extensions for Safari and the Google Chrome web browser, without alerting the user. The web browsers are tricked into thinking that the user intentionally installed the extensions, and give no warning to the user that all of their web browsing traffic is now being monitored by the malicious extensions.

Additionally, the malware installs a program that continually runs in the background, looking for bitcoin wallet login credentials, which are then sent back to a remote server.”

The browser extensions had innocuous sounding names like ‘Pop-up Blocker’ to avoid detection. Once installed, the trojan also searches the system for anti-malware software and logs unique identifiers (UUIDs) for each infected machine.

Large thefts

At least one Bitcoin Talk Forum user reported a whopping 20BTC theft after installing StealthBit, which was also posted on reddit.

Other investigators noted several similarities between StealthBit and Bitvanity, another piece of notorious Mac malware that stole users’ bitcoins last August. Bitvanity posed as a vanity wallet address generator that harvested addresses and private keys from software like the Bitcoin-Qt client.

StealthBit’s GitHub code repository was stored under the username ‘thomasrevor’ and a reddit user named ‘trevorscool’ posted an announcement about its development there on 2nd February. Last year, Bitvanity’s GitHub code was posted under the name ‘trevory’.

As reported previously on CoinDesk, there are rich rewards for malware and ransomware developers trading in bitcoin thanks to its mostly unregulated and difficult-to-trace nature. Accomplices can be paid, and ransoms collected from anywhere in the world.

Open-source security

The discovery has highlighted the benefits (and issues) that surround open-source software. While the malware was not contained in the open-source version of the code, less able or impatient users may still have trusted the precompiled version on GitHub and installed without a second thought.

The ‘clean’ open-source version, however, allowed programmers to find a discrepancy between the two versions within days of its appearance, leading to speedy warnings of the malware and, hopefully, fewer infections.

Bitsavings Promises 5% Interest on Bitcoin Deposits – Too Good to be True?

A bitcoin deposit service called Bitsavings is offering returns of 5% a month to anyone bold enough to put their savings there.

Users should be advised though, that several such schemes have made promises in the bitcoin world before, and if it sounds too good to be true, it often is.

Despite the name, Bitsavings is not attempting to be a bitcoin bank and seems to be offering users worldwide a chance to buy into its trading scheme, which it says is “working fine thus far”.

The company, whose site went live 60 days ago, is based out of Panama according to a spokesman. Terms and conditions listed on the site state it is subject to the laws of Romania. The deposit address listed on the site, however, had recorded no activity and had a 0 BTC balance at the time of writing.

Update: The company says it changes deposit/withdrawal addresses very regularly “to ensure the safety of customers’ funds”, hence the zero balances.

Arbitrage and hedging

The spokesman went on to explain how Bitsavings made such returns possible, and indeed guaranteed.

“We are offering 5% interest by taking advantage of market volatility and ensuring that we are properly investing all BTC deposits in a way that always earns us a minimum of 5%/monthly (arbitrage techniques, large-scale automated trading to hedge against losses, among others)” he said.

Bitsavings’ operators claim the 5% return is guaranteed to users whether the trading system succeeds or not, saying the company itself will wear all risk.

“We also have pledged to back any losses with our own funds if needed (though we don’t envision that being necessary; with that being said though, you never know and we can’t be too careful).”

Skepticism

The company’s promises have met with skepticism from the community, with some questioning how a commodity with a slowing generation rate like bitcoin could promise 5% returns. Given past experiences with other bitcoin investment schemes promising tantalizing returns, and the mostly unregulated playing field, this is probably not surprising.

Bitsavings’ withdrawal request process is also slightly unorthodox: Anyone wishing to withdraw funds should, according to the site’s instructions, send 0.001 BTC multiplied by the amount they want to withdraw as a fee to automatically trigger the transfer. For example, a depositor with 100 BTC wishing to withdraw 60 BTC would send 0.06 BTC to the address supplied.

Bitcoin interest

A site called Bitdeposit.net sprang up with little fanfare around July last year, offering a 5.3% return after one year to anyone who sent bitcoins. It now appears to be offline, though, and the bitcoin address it published for users to deposit funds has seen few transactions, with no deposits since November 2013.

A Texas man named Trendon T. Shavers promised a more generous 7% per week to depositors through his Bitcoin Savings and Trust (BTCST) business last year, also via arbitrage activity. He raised 700,000 BTC (worth $64m at the time and over $490m today) before being arrested in July for fraud, accused of operating a Ponzi scheme.

Bitsavings’ operators say they have been around the bitcoin community for a few years now, starting with mining their own coins. The team have backgrounds in web development, programming, and venture capital.

Malware Uses Victims’ Machines to Mine Bitcoin Until Ransom is Paid

A new Trojan has been discovered by Emsisoft, producer of PC security software. This is no garden-variety Trojan, however: it is a curious hybrid of bitcoin-mining malware and ransomware.

Whereas most ransomware directly attacks your PC or encrypts files stored on its drives, ‘Trojan-Ransom.Win32.Linkup’ blocks internet access by modifying your DNS and turns your computer into a bitcoin-mining bot at the same time.

Luckily, it shouldn’t be hard to spot when your system has been infected. ‘Linkup’ blocks all internet access bar a bogus Council of Europe website, which will demand personal information and a ‘payment method’ (read ‘ransom’) to unblock your access. Needless to say the Council of Europe has absolutely nothing to do with your internet access and you should not pay anything or enter personal details to regain your service.

In addition to messing around with the DNS, Linkup can also link up to a remote server and pressgang your PC into service as a bitcoin-mining bot. This is carried out via a downloader called ‘pts2.exe’, which extracts a second file, named ‘j.exe’, onto your computer. This is, in fact, a popular piece of mining software called ‘jhProtominer’.

The damage that is likely to be inflicted by the Trojan is limited. jhProtominer only works on 64-bit operating systems, but, even so, that still leaves plenty of computers around the globe to infect.

Malware losing the mining battle

Emsisoft says it will keep a close eye on Linkup as it evolves. Since it is an unusual mix of ransomware and bitcoin-mining malware, it is in a class of its own. Luckily the company has already come up with a way of detecting Linkup and says that the Trojan should not be too dangerous, provided it does not metamorphose into something more sophisticated.

Furthermore, security firms are starting to take notice of the new trend in malware, and just a few weeks ago Microsoft helped destroy the Sefnit botnet, which was also stealing bitcoin mining capacity from people’s PCs. Several other illicit bitcoin mining operations have recently gone the same way.

Another Major Bitcoin Exchange May Be In Deep Trouble After A Bust In Florida

On the surface, the case looks relatively innocuous: Two Miami residents were arrested this week for trying to sell Bitcoin to undercover cops who said they wanted to use the digital currency to buy fake credit cards.

Pascal Reid, 28, and Abner Espinoza, 31, have been charged with money laundering after being approached on LocalBitcoins.com, an online exchange based in Finland, by Florida detectives working in conjunction with the Secret Service.

It's not the first time people have been busted for allegedly trying to use Bitcoin to make illicit purchases.

But Krebs talked to researchers who say it looks like the opening salvo in an attempt to put a lid on LocalBitcoins.com, one of the last remaining venues for purchasing Bitcoin anonymously. The head of BitInstant, another anonymous exchange, was also just charged with money laundering.

LocalBitcoins.com allows users to trade Bitcoin in person by finding the address of buyers and sellers closest to your physical address. That might seem like no anonymity is involved, but in practice actual addresses are never revealed, many transactions occur online, and if the two parties do meet in person, they usually don't ask each other's names. As of December, the site was seeing up to 3,000 Bitcoins traded a day.

The criminal complaints [embedded below] in the two cases show U.S. law enforcement continues to view the Bitcoin market in somewhat adversarial terms. They also show how large the now-shuttered illicit marketplace Silk Road looms in their approach to the digital currency:

"Owing to its high degree of anonymity, Bitcoin is also ideally suited for illegal purchases," the complaint says. "An online illicit website called Silk Road offered the ability to buy narcotics exclusively using Bitcoin. The high degree of anonymity makes Bitcoin a useful medium for laundering money because it is virtually impossible to trace bitcoin transactions to the owner of the bitcoin addresses."

“I’d expect many more state cases like this one because it will act to strangle the lifeblood of the online dark markets,” such as Silk Road, Nicholas Weaver of the International Computer Science Institute (ICSI) and the University of California, Berkeley told Krebs. “If you want a significant amount of anonymous Bitcoins, right now this community is about the only mechanism still available.”

Reid and Espinoza are also being charged with operating an unlicensed money transmission business. Here are the complaints:

Today, Coinmap.org — which shows bitcoin businesses on a convenient map — has reached about 3,000 bitcoin businesses. More and more physical storefronts and businesses are turning to the digital currency for a number of reasons. These include no fees for merchants (the buyer pays the fee), no risk of chargebacks, and speed/ease of use.

Meanwhile, Coinmap.org has 274 litecoin businesses listed, not nearly as popular as bitcoin, but appealing to some businesses nonetheless.

Of course, Coinmap.org is not an indicator of all bitcoin businesses in existence (including the likes of Overstock.com, which doesn’t have a physical retail presence), but the rate at which businesses are added is representative of bitcoin’s popularity amongst merchants.

San Francisco-based Coinbase announced improved security with new API keys on Friday. A good number of users of Coinbase’s services have previously experienced issues with API keys, particularly theft of their funds — so the news is much-awaited by those in the community.

For starters, the company says users will now have access to multiple API keys, with separate permissions (including IP whitelisting). This means that no longer will users have to share one key between applications (especially if it had global permissions enabled, which increased the risk of something bad happening).

In addition to multiple API keys, Coinbase is now making use of HMAC authentication, which will include an API secret in addition to the key, further improving security.

Old API keys will continue to work, but users are strongly advised to migrate to the new API keys.

To further fortify access to API keys, Coinbase now requires users to input their password or 2-factor authentication code when creating, editing, and viewing API keys. Coinbase will also email a security token whenever a request to enable a disabled API key is made.

Have a chunk of bitcoin you want to sell? SecondMarket might be willing to scoop it up from you. The company, which manages the Bitcoin Investment Trust, has set up a page on their website dedicated to the cause.

SecondMarket is currently buying bitcoin. Any bitcoin holders interested in selling blocks of bitcoin can benefit from our deep knowledge base of the bitcoin markets.

Here are the outlined steps to completing such a transaction, according to SecondMarket:

Seller completes a New Account Profile (NAP) form

SecondMarket notifies seller of approval to trade once compliance procedures are completed

After 6 confirmations on the blockchain network, a wire is sent to the seller’s bank account

SecondMarket provides a FED reference number for tracking purposes

You’ll notice that the minimum transaction size is 25 BTC (a bit under $20,000 at the current exchange rate), so this isn’t for the small-time enthusiast (that’s not to say a small-time enthusiast can’t hold 25 BTC, of course).

It certainly seems like SecondMarket is trying to build quite the collection of bitcoin. Is their investment trust doing a whole lot better than they expected?